Re: HTTPD bug

Tom Fitzgerald (fitz@wang.com)
Mon, 17 Apr 95 22:01:21 EDT

> >> It allows you to create a directory in a user's home dir that can be
> >> accessed via Mosaic/Netscape.  Well, the bad bit of news is, if you
> >> symlink this dir to root (/), file ownership becomes nonexistent.
> >> 
> >> I was easily able to read the shadow passwd file!

> The easy fix is to run the daemon as nobody (which is what I do).
> chroot'ing will also take care of this sort of problem.

I do this too (both chrooting and running as a user with no privs) but it
isn't a complete fix.  Users can still read the password files in the WWW
tree that contain the passwords used to get at restricted documents.  Users
can also read the httpd configuration files and the sources for CGI
scripts, which might be a problem on some systems.

The only real fix is to avoid following symlinks.  This requires a code
change to the CERN httpd, which doesn't have a config-file option for this.

-- 
Tom Fitzgerald    1-508-967-5278    Wang Labs, Lowell MA, USA    fitz@wang.com
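
Added example, not part of the original message and not CERN httpd code: one way a server can "avoid following symlinks" is to walk the requested path one component at a time with openat() and O_NOFOLLOW, since O_NOFOLLOW on a single open() only checks the final component. It uses POSIX.1-2008 calls that postdate this post; the function names, the /tmp demo tree and the file names are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open relpath under docroot; refuse symlinks, "..", and non-regular files. */
int open_nofollow(const char *docroot, const char *relpath)
{
    char buf[PATH_MAX], *save = NULL;
    struct stat st;
    if (strlen(relpath) >= sizeof buf) return -1;
    strcpy(buf, relpath);
    int cur = open(docroot, O_RDONLY | O_DIRECTORY); /* root chosen by admin */
    for (char *c = strtok_r(buf, "/", &save); cur >= 0 && c != NULL; ) {
        char *next = strtok_r(NULL, "/", &save);
        int fd = -1;
        if (strcmp(c, "..") != 0) /* O_NOFOLLOW fails if c is a symlink */
            fd = openat(cur, c, O_RDONLY | O_NOFOLLOW | O_NONBLOCK |
                                (next ? O_DIRECTORY : 0));
        close(cur);
        cur = fd; /* descend one level, or -1 to stop */
        c = next;
    }
    if (cur >= 0 && (fstat(cur, &st) != 0 || !S_ISREG(st.st_mode))) { close(cur); cur = -1; }
    return cur;
}

/* Constructed demo tree (hypothetical names): <root>/index.html, <root>/all -> / */
int make_demo_tree(char *root)
{
    char f[PATH_MAX], l[PATH_MAX];
    if (mkdtemp(root) == NULL) return -1;
    snprintf(f, sizeof f, "%s/index.html", root);
    snprintf(l, sizeof l, "%s/all", root);
    int fd = open(f, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) close(fd);
    return fd >= 0 ? symlink("/", l) : -1;
}

int main(void)
{
    char root[] = "/tmp/nofollow-XXXXXX";
    if (make_demo_tree(root) != 0) return 1;
    printf("%d %d\n", open_nofollow(root, "index.html"), open_nofollow(root, "all/etc/passwd"));
    return 0;
}
```

Because every step is opened relative to the directory descriptor from the previous step, swapping a directory for a symlink between the check and the open does not get the request out of the tree.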